
Claire Aird
Contactless payment card relay attacks spread across Russia, an appeals court sends Pompompurin back for another sentence, a Chinese APT pulls off yet another supply chain attack, and researchers disclose a new cookie sandwich technique. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 24th of January, and this podcast episode is brought to you by Resourcely, the company that can help you manage Terraform securely.

In today's top story, Russians have lost over 40 million rubles in contactless payment card relay fraud. Russian security firm FACT says it's seen over 400 NFC relay attacks in the last two months. In the wild, NFC relay attacks were first seen in Czechia in late 2023. The scheme works by tricking users into installing a malicious Android app on their devices. The malicious app contains a version of NFCGate, an open source app developed for academic research that can copy and relay a card's NFC data stream to a remote device. Attackers use the malicious app to prompt users to scan their cards and even enter their PIN codes. This data is stolen and used to withdraw funds from ATMs in real time or tokenized for online transactions at a later date. FACT says it's seeing increased chatter in criminal forums about the technique, along with plans to create a malware-as-a-service platform to automate future attacks at scale. 40 million rubles is about US$400,000.

Russia's Internet watchdog wants social media networks to suspend popular accounts that have not provided proof of identity to the government. Roskomnadzor ordered social media personalities with over 10,000 subscribers to register their real names with the agency by the start of the year. Currently, accounts that have failed to do so cannot monetize their channels through ads. The provision covers online bloggers, Telegram channels and social media accounts.

Government technology contractor Conduent has restored systems after a cyber attack crippled it at the start of the year. The company runs state systems providing Medicaid, child support, food assistance and more. The incident has impacted Conduent services in Oklahoma and Wisconsin.

An appeals court has vacated the sentence of Pompompurin, administrator of cybercrime platform BreachForums. Brian Connor Fitzpatrick was initially actually sentenced to time served and 20 years of supervised release. The prosecution appealed the original sentence, and his case has been sent back to a lower court for re-sentencing. DOJ prosecutors claim the judge abused her discretion in handing down a sentence far less than the 15-year minimum the initial charges required.

A Chinese APT group has compromised South Korean VPN provider IPany and replaced its installer with malware. The malicious installer was live from November 2023 to May 2024. Users who downloaded the VPN client were infected with a feature-rich backdoor named SlowStepper. ESET says the group was also involved in hijacking legitimate updates for some Chinese applications.

Advanced malware named J-magic has been spotted on Juniper enterprise routers and VPN gateways. The backdoor has been used in attacks since September 2023. Lumen says J-magic uses a series of magic packets and a certificate-based challenge before allowing attackers to access the compromised devices. The company has not linked the malware to any known threat actor.

SonicWall has patched an actively exploited zero-day in its SMA 1000 security gateways. The zero-day is a pre-authentication deserialization attack that can run malicious commands on the device. The vulnerability has a severity rating of 9.8 out of 10. Over 2,300 SonicWall SMA appliances are currently exposed on the Internet and vulnerable to attacks.

PortSwigger has developed a new technique called the Cookie Sandwich that can expose cookies to malicious client-side scripts. The attack manipulates how web servers parse and handle cookies that contain special characters. The technique also bypasses HttpOnly, a security flag that blocks local scripts from interacting with cookies. Threat actors can abuse the Cookie Sandwich technique to exfiltrate cookies from servers, browsers and backends.

Security researcher Alam Rashid has discovered a cache poisoning attack in Next.js, a popular JavaScript framework. Rashid says the technique allowed him to mount cross-site scripting attacks on web apps built using the framework, such as crypto, e-commerce and fintech systems. The researcher made a six-figure sum by reporting the issue to multiple bug bounty programs before the issue was patched last October.

Two security researchers have found a vulnerability in Subaru's Starlink in-car technology. The researchers say they could remotely start or stop a vehicle, lock or unlock its doors, and retrieve the car's position. Exploiting the vulnerability required only minimal data, such as an email address, phone number or license plate. The issue was patched last year. Subaru says it did not find evidence it was ever exploited.

The UK government is launching digital identity documents. Digital driver's licences and veteran cards will launch later this year, with other documents following. The government is also launching a digital wallet app where the documents can be stored and used to prove a user's age online and in the real world.

Google has announced a new Android security feature that will prompt for biometric authentication when the user's phone travels away from a trusted location. The new authentication prompt will show up when the user wants to access a phone's settings and account data. Google says the feature is designed to protect the user's data in the case of a device's theft.

And finally, a group of LinkedIn Premium users have filed a lawsuit against Microsoft for using their private messages to train its AI models. The lawsuit alleges Microsoft trained its models with the data without notifying users or giving them a way to opt out. Users claim that when the company's actions were revealed, it quietly changed its privacy policy to justify its actions.

And that is all for this podcast edition. Today's show was brought to you by our sponsor, Resourcely. Find them at resourcely.io. Thanks for your company.
Risky Bulletin: Contactless Payment Card Relay Fraud Booms in Russia
Hosted by risky.biz | Released on January 23, 2025
Introduction
In this episode of Risky Bulletin, host Claire Aird delves into the latest cybersecurity threats and developments shaping the digital landscape. From a surge in contactless payment fraud in Russia to groundbreaking vulnerabilities in widely-used technologies, the bulletin provides an in-depth analysis of current cyber risks and protective measures.
1. Surge in Contactless Payment Card Relay Fraud in Russia
Timestamp: [00:04]
Russian citizens have reportedly lost over 40 million rubles (approximately US$400,000) to contactless payment card relay fraud. According to the Russian security firm FACT, there have been more than 400 NFC relay attacks within the past two months alone. In-the-wild NFC relay attacks were first seen in Czechia in late 2023.
The attack works by tricking users into installing a malicious Android application that bundles a version of NFCGate, an open-source tool originally written for academic research that can copy a card's NFC data stream and relay it to a remote device. The malicious app prompts the victim to tap their payment card against the phone and to enter their PIN; the card's NFC exchange and the PIN are relayed to an attacker-controlled device, where they are used to withdraw funds from ATMs in real time or tokenized for later online transactions.
Claire Aird notes, "FACT says it's seeing increased chatter in criminal forums about the technique, along with plans to create a malware-as-a-service platform to automate future attacks at scale" [00:45]. A service offering of that kind would lower the bar for running the scheme and widen the threat to both cardholders and financial institutions across Russia.
2. Russian Internet Watchdog Demands Real Names from Social Media Influencers
Timestamp: [02:10]
Russia's Internet watchdog, Roskomnadzor, has ordered popular social media accounts with over 10,000 subscribers to register their real names with the agency by the beginning of the year, and wants social media networks to suspend accounts that have not provided proof of identity. Accounts that have failed to register are currently barred from monetizing their channels through advertising.
The directive covers a broad range of online personalities. Claire Aird notes, "The provision covers online bloggers, Telegram channels and social media accounts" [03:05].
3. Cyber Attack Disrupts Operations at Government Contractor Conduent
Timestamp: [04:30]
Government technology contractor Conduent has restored its systems after a cyber attack crippled them at the start of the year. Conduent runs state systems that deliver Medicaid, child support, food assistance and other programs, and the incident affected its services in Oklahoma and Wisconsin.
4. Appeals Court Vacates Sentence of Pompompurin from Breach Forums
Timestamp: [06:15]
An appeals court has vacated the sentence of Conor Brian Fitzpatrick, known online as Pompompurin, the administrator of the cybercrime platform BreachForums. Fitzpatrick was initially sentenced to time served and 20 years of supervised release. The prosecution appealed that sentence, and the appeals court has sent the case back to the lower court for resentencing.
DOJ prosecutors argue that the judge "abused her discretion in handing down a sentence far less than the 15-year minimum the initial charges required" [07:00], citing the severity of Pompompurin's involvement in facilitating cybercrime activities through Breach Forums.
5. Chinese APT Group Compromises South Korean VPN Provider IP Any
Timestamp: [08:40]
A Chinese Advanced Persistent Threat (APT) group compromised the South Korean VPN provider IPany and replaced the legitimate VPN installer with a trojanized one. The malicious installer was live from November 2023 to May 2024, and users who downloaded the VPN client in that window were infected with a feature-rich backdoor named SlowStepper.
ESET, which reported the intrusion, says the same group has also hijacked legitimate updates for certain Chinese applications, so the IPany installer is one of several software-supply-chain vectors the group has used.
6. Emergence of 'JMagic' Malware Targeting Juniper Enterprise Routers and VPN Gateways
Timestamp: [10:25]
J-magic is a backdoor that Lumen has found on Juniper enterprise routers and VPN gateways, with attacks dating back to September 2023. According to Lumen, the implant watches for a series of "magic" packets and then puts the sender through a certificate-based challenge before it grants access to the compromised device; the implant therefore stays passive rather than exposing an obvious listening service, and the challenge limits who can use it once it is woken. Lumen has not attributed J-magic to any known threat actor.
In Claire Aird's words, "Lumen says J-magic uses a series of magic packets and a certificate-based challenge before allowing attackers to access the compromised devices" [11:00], which is what makes this implant hard to find by scanning and hard to repurpose once found.
7. SonicWall Addresses Critical Zero-Day Vulnerability in SMA 1000 Security Gateways
Timestamp: [12:50]
SonicWall has issued a patch for an actively exploited zero-day vulnerability in its SMA 1000 security gateways. The flaw, rated 9.8 out of 10 in severity, is a pre-authentication deserialization vulnerability that lets an unauthenticated attacker run malicious commands on the appliance.
With over 2,300 SonicWall SMA appliances exposed on the internet and still vulnerable, administrators should apply the patch immediately and, given that exploitation is already under way, review the devices for signs of prior compromise rather than assume patching alone is sufficient.
8. PortSwigger Introduces the 'Cookie Sandwich' Attack Technique
Timestamp: [14:30]
PortSwigger has published a technique it calls the Cookie Sandwich. It abuses the way some web servers parse cookie values that contain special characters: attacker-controlled cookies placed on either side of a target cookie can cause the server's cookie parser to swallow the target cookie into a single value, and if the application reflects that value, the target cookie lands in a response body that client-side script can read. That is how the technique gets around the HttpOnly flag, which only stops scripts from reading a cookie through the browser's cookie API and does nothing once the server has echoed the value into a page.
As Claire Aird puts it, "Threat actors can abuse the Cookie Sandwich technique to exfiltrate cookies from servers, browsers and backends" [15:10].
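The parsing behaviour the technique depends on, shown as an added example that is not PortSwigger's code and not part of the original page: a simplified RFC 6265-style parser (quotes are not special) next to a simplified RFC 2109-style legacy parser that honours quoted-string values, both fed a constructed Cookie header in which attacker-controlled cookies `param1` and `param2` bracket a hypothetical HttpOnly `session` cookie. The cookie names, the secret value, the `$Version` attribute and the endpoint that reflects `param1` are all assumptions made for this demonstration.

```javascript
// Added demonstration (not PortSwigger's code). Cookie names, the secret
// value and the reflecting endpoint are constructed for this example.

// RFC 6265-style parsing: split on ';', then on the first '='.
// Quotes are ordinary characters, so every cookie stays separate.
function parseCookiesStrict(header) {
  const out = {};
  for (const part of header.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).trim();
    if (name) out[name] = value;
  }
  return out;
}

// Legacy RFC 2109-style parsing: a value that starts with '"' runs until the
// next unescaped '"', even across ';' separators. Some legacy parsers only
// enable this mode when a "$Version" attribute is present, which is why the
// constructed header below carries one. This is the behaviour the sandwich abuses.
function parseCookiesLegacy(header) {
  const out = {};
  const n = header.length;
  let i = 0;
  while (i < n) {
    while (i < n && (header[i] === ';' || header[i] === ' ')) i++; // skip separators
    const eq = header.indexOf('=', i);
    if (eq === -1) break;
    const name = header.slice(i, eq).trim();
    i = eq + 1;
    let value;
    if (header[i] === '"') {
      // quoted-string: consume up to the closing quote, honouring backslash escapes
      let j = i + 1;
      let buf = '';
      while (j < n && header[j] !== '"') {
        if (header[j] === '\\' && j + 1 < n) { buf += header[j + 1]; j += 2; }
        else { buf += header[j]; j++; }
      }
      value = buf;
      i = j + 1; // step past the closing quote (or the end of the header)
    } else {
      let j = header.indexOf(';', i);
      if (j === -1) j = n;
      value = header.slice(i, j).trim();
      i = j;
    }
    // names beginning with '$' ($Version, $Path, ...) are attributes, not cookies
    if (name && !name.startsWith('$')) out[name] = value;
  }
  return out;
}

// Constructed Cookie header: attacker-set param1/param2 (e.g. via a sibling
// subdomain or a cookie-injection bug) bracket the victim's HttpOnly session cookie.
const SANDWICH_HEADER =
  '$Version=1; param1="start; session=s3cr3t-httponly; param2=end"';

// Hypothetical endpoint that echoes the value of param1 into the page body.
function reflectParam1(parser, header) {
  const cookies = parser(header);
  return `<p>param1 = ${cookies.param1 === undefined ? '' : cookies.param1}</p>`;
}

// Render the same header through both parsers so the difference is visible.
function demo() {
  return {
    strict: reflectParam1(parseCookiesStrict, SANDWICH_HEADER),
    legacy: reflectParam1(parseCookiesLegacy, SANDWICH_HEADER),
  };
}

module.exports = { parseCookiesStrict, parseCookiesLegacy, reflectParam1, demo, SANDWICH_HEADER };
```

Under the strict parser `param1` is just `"start` and the session cookie is a separate entry that is never reflected. Under the legacy parser `param1` becomes `start; session=s3cr3t-httponly; param2=end`, so the HttpOnly session value is written into the response, where any script running in the origin (an XSS payload, or a `fetch()` to the reflecting endpoint) can read it; HttpOnly was never in a position to prevent that. The two checks that close the hole are to parse Cookie headers without quoted-string semantics and to never reflect raw cookie values into responses.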
9. Cache Poisoning Vulnerability Discovered in Next.js Framework
Timestamp: [16:05]
Security researcher Alam Rashid has identified a cache poisoning attack affecting Next.js, a popular JavaScript framework. He says the technique allowed him to mount cross-site scripting (XSS) attacks against web applications built with the framework, including crypto, e-commerce and fintech systems.
Rashid earned a six-figure sum by reporting the issue to multiple bug bounty programs before it was patched in October of last year.
10. Vulnerability in Subaru's Starlink In-Car Technology
Timestamp: [17:50]
Two security researchers have uncovered a vulnerability in Subaru's Starlink in-car technology. The flaw let them remotely start or stop a vehicle, lock or unlock its doors, and retrieve the car's location. Exploiting it required only minimal information about the target, such as an email address, phone number or license plate number.
Subaru patched the issue last year and says it found no evidence that the vulnerability was ever exploited.
11. UK Government Launches Digital Identity Documents and Wallet App
Timestamp: [19:30]
The UK government is set to roll out digital identity documents, starting with digital driver's licences and veteran cards later this year and other documents to follow. Alongside them it is launching a digital wallet app in which the documents can be stored and used to prove a user's age, both online and in person.
12. Google's New Android Security Feature Enhances Data Protection
Timestamp: [21:15]
Google has announced a new Android security feature that prompts for biometric authentication when the phone moves away from a trusted location. The prompt appears when the user tries to reach sensitive areas such as the phone's settings and account data.
Google says the feature is designed to "protect the user's data in the case of a device's theft": a thief who has the unlocked handset, or has shoulder-surfed the PIN, still has to pass a biometric check before changing settings or touching account data away from the owner's usual locations.
13. LinkedIn Premium Users Sue Microsoft Over AI Data Usage
Timestamp: [23:00]
A group of LinkedIn Premium users has initiated a lawsuit against Microsoft, alleging that the company used their private messages to train its AI models without proper consent. The plaintiffs claim that Microsoft failed to notify users or provide an option to opt out of data usage for AI training purposes.
The plaintiffs further assert that when Microsoft's actions were revealed, the company quietly changed its privacy policy to justify the data use after the fact.
Conclusion
This episode of Risky Bulletin underscores the dynamic and multifaceted nature of cybersecurity threats in 2025. From sophisticated fraud schemes and regulatory changes to groundbreaking vulnerabilities and legal battles over data privacy, the bulletin highlights the critical need for continuous vigilance and adaptive security strategies. Stay informed and proactive to navigate the evolving cyber threat landscape effectively.
Prepared by Catalin Cimpanu, read by Claire Aird.